470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2023 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe
Size

4.5MB
MD5

017300290a76c8f09d40d9076a50375f
SHA1

d01fb6cf152847b09dd78e315b0b467f65db7a96
SHA256

470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe
SHA512

4f8c18094bab67e1ff362487d1b493a9173a9445b345fe87612d83615ee76f797ae668408ff72e89659c79216e4956399113807bbef9ac35b5be00f139bc9cbf
SSDEEP

98304:KT562OBvLIlCzqHlvkBPsxGe30/IJ2ajCFVBIsO/ZV9kGE:KT56FRzqFOsxGe3vMvS4

Score

8^/10

pyinstaller

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\h.sys	470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe

Executes dropped EXE 2 IoCs

pid	Process
2036	service.exe
1704	service.exe

Loads dropped DLL 6 IoCs

pid	Process
1704	service.exe
1704	service.exe
1704	service.exe
1704	service.exe
1704	service.exe
1704	service.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/388-192-0x0000000000400000-0x0000000000D29000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\service.exe	470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000600000002321a-139.dat	pyinstaller
behavioral2/files/0x000600000002321b-143.dat	pyinstaller
behavioral2/files/0x000600000002321b-144.dat	pyinstaller
behavioral2/files/0x000600000002321b-164.dat	pyinstaller

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3464	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2036	388	470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe	86
PID 388 wrote to memory of 2036	388	470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe	86
PID 388 wrote to memory of 2036	388	470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe	86
PID 2036 wrote to memory of 1704	2036	service.exe	87
PID 2036 wrote to memory of 1704	2036	service.exe	87
PID 2036 wrote to memory of 1704	2036	service.exe	87
PID 388 wrote to memory of 4980	388	470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe	90
PID 388 wrote to memory of 4980	388	470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe	90
PID 388 wrote to memory of 4980	388	470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe	90
PID 4980 wrote to memory of 3464	4980	cmd.exe	92
PID 4980 wrote to memory of 3464	4980	cmd.exe	92
PID 4980 wrote to memory of 3464	4980	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe
"C:\Users\Admin\AppData\Local\Temp\470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\service.exe
  C:\Windows\SysWOW64\service.exe --startup auto install
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\service.exe
    C:\Windows\SysWOW64\service.exe --startup auto install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -n 3&del /q "C:\Users\Admin\AppData\Local\Temp\470c5c6457eec9413408c9485b6d27619fc568bc0d4c5f862b10a397b7346bbe.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI20362\python27.dll

Filesize
2.5MB

MD5
9e9e57b47f4f840dddc938db54841d86

SHA1
1ed0be9c0dadcf602136c81097da6fda9e07dbbc

SHA256
608feafc63a0d1b38772e275c9e6d3b8a5b03efc0a27eb397107db0a6d079c50

SHA512
1a0dab38ebf4d995bcda3bdf0453c85d524cc1fff1c1b92160794d7c2f98f53088ba15c4b00b35d06e0be82a4bfa6d92cd4f09dec4ec98d615a82d5ffd5cb6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\python27.dll

Filesize
2.5MB

MD5
9e9e57b47f4f840dddc938db54841d86

SHA1
1ed0be9c0dadcf602136c81097da6fda9e07dbbc

SHA256
608feafc63a0d1b38772e275c9e6d3b8a5b03efc0a27eb397107db0a6d079c50

SHA512
1a0dab38ebf4d995bcda3bdf0453c85d524cc1fff1c1b92160794d7c2f98f53088ba15c4b00b35d06e0be82a4bfa6d92cd4f09dec4ec98d615a82d5ffd5cb6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\pywintypes27.dll

Filesize
108KB

MD5
c7d86a10bfcd65e49a109125d4ebc8d9

SHA1
5b571dc6a703a7235e8919f69c2a7a5005ccd876

SHA256
c4db872ff7d301186516882ea06422aee29e1c11b44a4d382addd5b801207818

SHA512
b7563b4d27713ec4308c24a0b15c02fb16e184b98bb73a4616792508f4ba57fe237186595b55e3fa476d6959388edd8678ea516ce620ee90c909a7b988d8b908

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\pywintypes27.dll

Filesize
108KB

MD5
c7d86a10bfcd65e49a109125d4ebc8d9

SHA1
5b571dc6a703a7235e8919f69c2a7a5005ccd876

SHA256
c4db872ff7d301186516882ea06422aee29e1c11b44a4d382addd5b801207818

SHA512
b7563b4d27713ec4308c24a0b15c02fb16e184b98bb73a4616792508f4ba57fe237186595b55e3fa476d6959388edd8678ea516ce620ee90c909a7b988d8b908

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\service.exe.manifest

Filesize
1KB

MD5
cc048eab9644acf8fc7a2ad35486ec74

SHA1
45ceb55fd44dadfbb794ff845d1feacf3783bbec

SHA256
e55f7644b2c9658ffeeefd202261f0584499d9a36e26a44dc462c8bc9b71db5f

SHA512
3d21cbfcfa4d358cb2a34e65061a2fc1210e7c999550e3f5323e7ed861744f4d1e66e5decece9c60b8e88b18ba83d736617b2e916ee3870e4d2a30df534f6aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\servicemanager.pyd

Filesize
26KB

MD5
94c9dd414133b4a7c6f4e0b32d13e41e

SHA1
5f3ed20517256d8c12f2ad1715e964ca4879937b

SHA256
3159d43c4fbf3fe493a3d645ab300f95d29b0be11181cd2a7690b39d0cacf42e

SHA512
e846af6aa8e19b37435b4ee1f0d103e5a6bcbdcaefabb47968316692e1d1872167663f518ed0d16b7fe402ca063fef22f85118eaa2095dd5291308a6f01df6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\servicemanager.pyd

Filesize
26KB

MD5
94c9dd414133b4a7c6f4e0b32d13e41e

SHA1
5f3ed20517256d8c12f2ad1715e964ca4879937b

SHA256
3159d43c4fbf3fe493a3d645ab300f95d29b0be11181cd2a7690b39d0cacf42e

SHA512
e846af6aa8e19b37435b4ee1f0d103e5a6bcbdcaefabb47968316692e1d1872167663f518ed0d16b7fe402ca063fef22f85118eaa2095dd5291308a6f01df6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\win32api.pyd

Filesize
98KB

MD5
c8311157b239363a500513b04d1f6817

SHA1
791d08f71c39bb01536f5e442f07ac7a0416b8a7

SHA256
7de358652c1732caf72f968a664301e256aae281003ddcb0f5ecef4b13101009

SHA512
ab9dadd65c582f2b12af49448fa4f5a96da00abcc257722331ac7e9cad2e2770fdb7a0f2db32c113f2df33e6c84c8c0d594a36f1fb4f3a9ccdb8f3dc1ddfbdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\win32api.pyd

Filesize
98KB

MD5
c8311157b239363a500513b04d1f6817

SHA1
791d08f71c39bb01536f5e442f07ac7a0416b8a7

SHA256
7de358652c1732caf72f968a664301e256aae281003ddcb0f5ecef4b13101009

SHA512
ab9dadd65c582f2b12af49448fa4f5a96da00abcc257722331ac7e9cad2e2770fdb7a0f2db32c113f2df33e6c84c8c0d594a36f1fb4f3a9ccdb8f3dc1ddfbdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\win32event.pyd

Filesize
18KB

MD5
9875cd79cfb4137ef4b97407141a407f

SHA1
499ef019c4d10d2f9c86b7e335d723bd35b96123

SHA256
a9e176df950ba410ac34c2e92bf09a6c046eb91c7ad002d6b5f7bef60f0a4161

SHA512
1fb0ba196a00ca6a0a1a6e57667f460c2b8ca00bc7ce6363e066f24840ec9208a40140ced60802cdb28f1b621f490c84c89f5089f5c2985a4f3fd494ddab590e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\win32event.pyd

Filesize
18KB

MD5
9875cd79cfb4137ef4b97407141a407f

SHA1
499ef019c4d10d2f9c86b7e335d723bd35b96123

SHA256
a9e176df950ba410ac34c2e92bf09a6c046eb91c7ad002d6b5f7bef60f0a4161

SHA512
1fb0ba196a00ca6a0a1a6e57667f460c2b8ca00bc7ce6363e066f24840ec9208a40140ced60802cdb28f1b621f490c84c89f5089f5c2985a4f3fd494ddab590e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\win32service.pyd

Filesize
41KB

MD5
62f3443a98f1339451e49591756ca948

SHA1
979b047f0fcb51197bce49c1514a15dd81682ad2

SHA256
d87c834ec643a328b56848ac3ed4a1196ea77ea81884c8a08742f6e771ebc096

SHA512
731d80a73d677971d1065dfac80bde20f7c85b8a1bc608cd3e74d9ecdf6e10d72d0ff15a5d2a00c4d43b7d00909fa1779af60a195fe2a169aff14f07acbebe38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\win32service.pyd

Filesize
41KB

MD5
62f3443a98f1339451e49591756ca948

SHA1
979b047f0fcb51197bce49c1514a15dd81682ad2

SHA256
d87c834ec643a328b56848ac3ed4a1196ea77ea81884c8a08742f6e771ebc096

SHA512
731d80a73d677971d1065dfac80bde20f7c85b8a1bc608cd3e74d9ecdf6e10d72d0ff15a5d2a00c4d43b7d00909fa1779af60a195fe2a169aff14f07acbebe38

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut68BC.tmp

Filesize
3.8MB

MD5
cdac98f3815c2e3d62f95fdd9143e235

SHA1
beb9c3b8ce67f10bbdd5bd079a36676e4b7647c2

SHA256
4ada1f96457de05401063ab99c4c98e128c7417e502d222e38eed76246db1b2d

SHA512
fcb9bd01de3d74d357a3e0e31dc4360d9bd8d39e055d7c3ea5486da81052ceba2cfccdefb1e592073f29dffea0b4ba1c528dcc46ddca2b883a87bf1947d7e5a4

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
3.8MB

MD5
cdac98f3815c2e3d62f95fdd9143e235

SHA1
beb9c3b8ce67f10bbdd5bd079a36676e4b7647c2

SHA256
4ada1f96457de05401063ab99c4c98e128c7417e502d222e38eed76246db1b2d

SHA512
fcb9bd01de3d74d357a3e0e31dc4360d9bd8d39e055d7c3ea5486da81052ceba2cfccdefb1e592073f29dffea0b4ba1c528dcc46ddca2b883a87bf1947d7e5a4

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
3.8MB

MD5
cdac98f3815c2e3d62f95fdd9143e235

SHA1
beb9c3b8ce67f10bbdd5bd079a36676e4b7647c2

SHA256
4ada1f96457de05401063ab99c4c98e128c7417e502d222e38eed76246db1b2d

SHA512
fcb9bd01de3d74d357a3e0e31dc4360d9bd8d39e055d7c3ea5486da81052ceba2cfccdefb1e592073f29dffea0b4ba1c528dcc46ddca2b883a87bf1947d7e5a4

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
3.8MB

MD5
cdac98f3815c2e3d62f95fdd9143e235

SHA1
beb9c3b8ce67f10bbdd5bd079a36676e4b7647c2

SHA256
4ada1f96457de05401063ab99c4c98e128c7417e502d222e38eed76246db1b2d

SHA512
fcb9bd01de3d74d357a3e0e31dc4360d9bd8d39e055d7c3ea5486da81052ceba2cfccdefb1e592073f29dffea0b4ba1c528dcc46ddca2b883a87bf1947d7e5a4

Download Submit
memory/388-133-0x0000000000400000-0x0000000000D29000-memory.dmp

Filesize
9.2MB

Download
memory/388-192-0x0000000000400000-0x0000000000D29000-memory.dmp

Filesize
9.2MB

Download
memory/1704-178-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2036-191-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download